Shodan is a well-known recon tool, but on larger scopes it returns so many results that it’s hard to find something useful without navigating through all the results pages.
In this image, a search for hostnames from Microsoft returns +100k results. It would be a TON of work going through 20 pages of results trying to find something.
That's when the 'facets' search comes into play.
Facets are a set of filters that can help with your search. Some basic filters are ‘country’, ‘city’, ‘ssl cert’, and so on.
Personally, the filter that helps me the most to find interesting stuff for pentests and bug bounties is ‘http.title’. In many cases, there will be some repetitive titles with an error message or a default response for pages without content.
So instead of going through 20 pages of search results, you get a list that shows each title only once, sorted by number of occurrences.
By doing that, we can go for the titles that only show up one or two times in the whole search. That’s where we can find something misconfigured, a subdomain that shouldn’t be public, internal dashboards, and much more.
I usually don't bother looking at the most common titles; the focus is on the ones with only a few appearances.
In this image, we can see that we have some titles that get our attention.
Usually I try to look for titles that contain some keywords like "Dashboard", "Welcome", "Internal" and so on.
From now on, you just gotta dig and look for more.
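The triage described above, sketched as an added example (not code from the original post): it takes an `http.title` facet, keeps the titles seen once or twice, and lists keyword hits first. The function names, the `top=1000` facet size, and the sample rows are assumptions made for illustration; the live lookup uses `Shodan.count()` from the official `shodan` Python package.

```python
"""Triage a Shodan http.title facet: keep rare titles, flag keyword hits."""

KEYWORDS = ("dashboard", "welcome", "internal")  # keywords named in the post


def fetch_title_facet(api_key, query, top=1000):
    """Live lookup via the official `shodan` package (needs a key and network)."""
    import shodan  # imported lazily so the triage below also works offline
    result = shodan.Shodan(api_key).count(query, facets=[("http.title", top)])
    return result["facets"]["http.title"]


def triage_titles(rows, max_count=2, keywords=KEYWORDS):
    """Return (title, count, matched_keywords) for titles seen <= max_count times.

    Keyword hits sort first, then lowest count, then title for stable output.
    """
    picked = []
    for row in rows:
        title, count = str(row["value"]).strip(), int(row["count"])
        if not title or count > max_count:
            continue  # skip empty titles and the common default/error pages
        hits = [k for k in keywords if k in title.lower()]
        picked.append((title, count, hits))
    return sorted(picked, key=lambda t: (not t[2], t[1], t[0].lower()))


# Constructed sample rows in the facet's {"value", "count"} shape (not real data).
SAMPLE_ROWS = [
    {"value": "403 - Forbidden: Access is denied.", "count": 5120},
    {"value": "IIS Windows Server", "count": 2304},
    {"value": "Sign in to your account", "count": 870},
    {"value": "Internal Build Dashboard", "count": 1},
    {"value": "Welcome to nginx!", "count": 2},
    {"value": "Test Page", "count": 1},
    {"value": "", "count": 1},
]

if __name__ == "__main__":
    for title, count, hits in triage_titles(SAMPLE_ROWS):
        flag = ",".join(hits) if hits else "-"
        print(f"{count:>3}  [{flag}]  {title}")
```

Each surviving title can then be fed back into a normal search as an `http.title:"..."` filter next to the original query to see the hosts behind it.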